Re: Compromised FBSD/Apache

From: Micheal Patterson (michealat_private)
Date: Tue Nov 19 2002 - 21:32:58 PST


    ----- Original Message -----
    From: "Greg A. Woods" <woodsat_private>
    To: "Greg S. Wirth" <gregat_private>
    Cc: <incidentsat_private>
    Sent: Monday, November 18, 2002 11:49 AM
    Subject: Re: Compromised FBSD/Apache
    
    
    > [ On Saturday, November 16, 2002 at 08:11:44 (-0900), Greg S. Wirth wrote: ]
    > > Subject: Compromised FBSD/Apache
    > >
    > > Hello...
    > > November 14, 2002 I noticed a service running on port 127/tcp.
    > > The box runs only Apache, no SSL.
    > > Only open ports before this were 21/22/80
    > > PHP was installed 5 days prior to this.
    > > PHP runs in safemode.
    > > I run netstat -an every morning, which is how I found the issue.
    >
    > "fstat" is your friend -- it can tell you which process holds the
    > listening socket descriptor.  On FreeBSD you have to use 'netstat -aAn'
    > first to find the address of the protocol control block (PCB), and then
    > grep for that in the output of 'fstat'.  For example:
    >
    > 12:44 [6] $ netstat -aAn | fgrep '*.80'
    > c49e0a40 tcp4       0      0  *.80               *.*                LISTEN
    > 12:44 [7] $ fstat | fgrep c49e0a40
    > wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40
    >
    >
    > --
    > Greg A. Woods
    >
    > +1 416 218-0098;            <g.a.woodsat_private>;     <woodsat_private>
    > Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private>
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    "sockstat" on later versions of FreeBSD will also show you the daemon
    running on the port.
    
    micheal@/>sockstat |more
    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
    root     sshd     62252    5 tcp4   192.168.1.1:22        192.168.1.2:3777
    root     sshd       207    4 tcp4   *:22                  *:*
    
    
    --
    
    Micheal Patterson
    Network Administration
    Cancer Care Network
    
    
    
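As an added example (not code from either poster), the netstat -aAn / fstat join that Greg describes can be scripted in POSIX sh and awk, and the result checked against the baseline of expected listening ports from the original report (21, 22, 80) so that a newcomer like the port 127 listener stands out with its owning process. The sample outputs are constructed from the lines quoted in the thread; the *.127 listener and its owner (user "nobody", command "unknown_bin", pid 4321) are placeholders, not a real finding.

```shell
#!/bin/sh
# Join FreeBSD 'netstat -aAn' with 'fstat' on the PCB address to attribute
# every LISTEN socket to a user/command/pid, then flag listeners whose port
# is not in an allow-list. Constructed sample output, not a real capture:
# the 80/22 lines come from the thread, the *.127 listener and its owner
# (user "nobody", command "unknown_bin", pid 4321) are placeholders.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/netstat.txt" <<'EOF'
c49e0a40 tcp4       0      0  *.80               *.*                LISTEN
c49e0b20 tcp4       0      0  *.22               *.*                LISTEN
c49e0c00 tcp4       0      0  *.127              *.*                LISTEN
c49e0d80 tcp4       0      0  192.168.1.1.22     192.168.1.2.3777   ESTABLISHED
EOF

cat > "$SAMPLE_DIR/fstat.txt" <<'EOF'
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
wwwsrvr  thttpd       137    5* internet stream tcp c49e0a40
root     sshd         207    4* internet stream tcp c49e0b20
nobody   unknown_bin 4321    3* internet stream tcp c49e0c00
EOF

# map_listeners NETSTAT_FILE FSTAT_FILE
#   prints "<port> <user> <command> <pid>" for each LISTEN socket;
#   "? ? ?" marks a PCB that fstat did not report (worth a second look).
map_listeners() {
    awk '
        # first file (fstat): remember who owns each internet socket PCB
        FNR == NR && $5 == "internet" { owner[$NF] = $1 " " $2 " " $3 }
        # second file (netstat -aAn): column 1 is the PCB, column 5 the
        # local address; the port is the text after its last dot
        FNR != NR && $NF == "LISTEN" {
            n = split($5, a, "[.]")
            o = ($1 in owner) ? owner[$1] : "? ? ?"
            print a[n], o
        }' "$2" "$1"
}

# unexpected_listeners NETSTAT_FILE FSTAT_FILE "PORT PORT ..."
#   keeps only listeners whose port is not in the allow-list.
unexpected_listeners() {
    map_listeners "$1" "$2" | awk -v allow="$3" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# Baseline from the original report was 21/22/80, so only the 127 listener comes out.
unexpected_listeners "$SAMPLE_DIR/netstat.txt" "$SAMPLE_DIR/fstat.txt" "21 22 80"
```

On a live box the two sample files would be replaced by the output of `netstat -aAn` and `fstat` run as root, so that sockets of every user are visible.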
    


